# SPDX-FileCopyrightText: 2024 Matthew Fennell <matthew@fennell.dev>
#
# SPDX-License-Identifier: AGPL-3.0-only

---

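# Provisions a single-host Prosody XMPP server: packages, ufw rules,
# Let's Encrypt certificates (certbot, apache plugin) with a deploy hook,
# Prosody configuration, and borgmatic backups.
#
# Variables read by this play (must be provided by inventory/vars):
#   certbot_email          - contact e-mail passed to certbot
#   virtual_host           - XMPP domain; also used for certificate and config file names
#   borg_private_key_path  - local path of the SSH private key used by borgmatic
- name: Ensure XMPP server is set up
  hosts: xmpp_server
  tasks:
    - name: Ensure required packages are installed
      ansible.builtin.package:
        name:
          - borgmatic
          - certbot
          - prosody
          - prosody-modules
          - python3-certbot-apache
          - ufw
        state: present
      become: true

    # OpenSSH is listed first so the management port is allowed by the same
    # iteration that first enables ufw. NOTE(review): the default incoming
    # policy is not set here; it is assumed to be ufw's stock "deny" — confirm
    # on the target or set it explicitly.
    - name: Ensure required ports are open
      community.general.ufw:
        rule: allow
        name: "{{ item }}"
        state: enabled
      loop:
        - OpenSSH
        - WWW
        - XMPP
      become: true

    - name: Ensure certbot on-renew hook is installed
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/files/on_renew.sh"
        dest: /etc/letsencrypt/renewal-hooks/deploy/prosody.sh
        owner: root
        group: root
        mode: "0755"
      become: true

    - name: Ensure certificates are installed
      ansible.builtin.command:
        # argv passes each templated value as exactly one argument; a single
        # command string would be re-split on whitespace after templating.
        argv:
          - certbot
          - --non-interactive
          - --agree-tos
          - --post-hook
          - /bin/true
          - --email
          - "{{ certbot_email }}"
          - --no-eff-email
          - --apache
          - --domains
          - "{{ virtual_host }}"
      become: true
      register: certbot
      # The post-hook log line is used as the "a certificate was issued or
      # renewed" signal; otherwise the task reports ok.
      changed_when: "'Running post-hook command' in certbot.stdout"

    - name: Ensure top-level prosody configuration is installed
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/files/prosody.cfg.lua"
        dest: /etc/prosody/prosody.cfg.lua
        owner: root
        group: prosody
        mode: "0640"
      become: true
      notify: Reload prosody

    - name: Ensure host-specific prosody configuration is available
      ansible.builtin.template:
        src: "{{ playbook_dir }}/files/virtual_host.cfg.lua.j2"
        dest: "/etc/prosody/conf.avail/{{ virtual_host }}.cfg.lua"
        owner: root
        group: prosody
        mode: "0644"
      become: true
      notify: Reload prosody

    # conf.d entries are symlinks into conf.avail, mirroring the Debian layout.
    - name: Ensure host-specific prosody configuration is set
      ansible.builtin.file:
        src: "/etc/prosody/conf.avail/{{ virtual_host }}.cfg.lua"
        dest: "/etc/prosody/conf.d/{{ virtual_host }}.cfg.lua"
        owner: root
        group: prosody
        state: link
      become: true
      notify: Reload prosody

    - name: Ensure prosody is enabled and running
      ansible.builtin.service:
        name: prosody
        enabled: true
        # "started" as well as "enabled": the Reload prosody handler acts on a
        # running service, and enabling alone does not start one.
        state: started
      become: true

    # The key copy below fails if /root/.ssh does not exist yet.
    - name: Ensure root SSH directory exists
      ansible.builtin.file:
        path: /root/.ssh
        state: directory
        owner: root
        group: root
        mode: "0700"
      become: true

    - name: Ensure borgmatic private key is installed
      ansible.builtin.copy:
        src: "{{ borg_private_key_path }}"
        dest: /root/.ssh/borg_key
        owner: root
        group: root
        mode: "0600"
      become: true
      # Keep the key material out of task output (diff/verbose runs can show
      # file contents, and that output is often logged).
      no_log: true

    - name: Ensure borgmatic config directory exists
      ansible.builtin.file:
        path: /etc/borgmatic
        state: directory
        owner: root
        group: root
        mode: "0700"
      become: true

    # NOTE(review): if borgmatic_config.yaml.j2 carries a repository passphrase
    # or similar secret, add `no_log: true` here for the same reason as above.
    - name: Ensure borgmatic is configured
      ansible.builtin.template:
        src: "{{ playbook_dir }}/files/borgmatic_config.yaml.j2"
        dest: "/etc/borgmatic/config.yaml"
        owner: root
        group: root
        mode: "0600"
        # Reject the rendered file before it replaces the live config.
        validate: validate-borgmatic-config --config %s
      become: true

  handlers:
    # Triggered by the prosody configuration tasks above; runs once at the end
    # of the play.
    - name: Reload prosody
      ansible.builtin.service:
        name: prosody
        state: reloaded
      become: true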